v0.14.5

bump go version 1.21.8

v0.15.1

0.15.1 (2024/02/28)

Bug Fixes

• cli: Update proxy listener to not close when the number of connections left
  for the session is zero. The listener will refuse new connections when the
  number of connections left is zero but existing connections will be active.
  This fixes a CLI client issue where sessions with max connection count
  configured were closed when the number of connections left hit 0.
  (Issue,
  (PR))
• Fix issue where the websocket connection was throwing closing errors during
  the session teardown.
  (PR)

New and Improved

• feat: support added for tracking and reporting monthly active users for
  the purpose of billing. It adds a new API endpoint,
  /v1/billing:monthly-active-users and new cli command,
  boundary billing monthly-active-users that can be used to view the monthly
  active user counts.

v0.15.0

0.15.0 (2024/01/30)

Deprecations/Changes

• Per the note in Boundary 0.13.0, the previous kms worker method has been
  removed. Since 0.13.0, unless the use_deprecated_kms_auth_method value was
  set on the worker config, the new kms mechanism was already being used; this
  is simply no longer an available option.
• Per the notes in Boundary 0.12.0 and 0.14.0, it is now an error if an address
  on a host or target contains a port. As of this release, this restriction also
  affects existing addresses (not just creation/updating via the API) so any
  existing addresses containing a port will not be able to be used as part of a
  target's session authorization call.
• The grant_scope_id field on roles is now deprecated in favor of the multiple
  grant scope support.
• Per the note in Boundary 0.13.1, the id field in grants has changed to ids
  which allows multiple ids to be included; existing grants submitted to
  Boundary will continue to work, but grants using "id" can no longer be added
  to or set on a role.
• All list endpoints except workers now return the first 1000 items instead
  of all items if no parameters are provided. The number of items returned can
  be configured through the new controller configuration value max_page_size.
  The Admin UI, CLI and api package automatically paginate results.

New and Improved

• Multiple grant scopes in roles: Roles now support multiple grant scopes, along
  with the special values this, children (global/org only) to apply to all
  direct children of a scope, and descendants (global only) to apply to all
  descendants of a scope. These use the new actions add-grant-scopes,
  set-grant-scopes, and remove-grant-scopes on roles. For now the
  grant_scope_id field on roles will continue to be able to be set, which will
  set a single grant scope, but this capability is now deprecated.
• Policies (Enterprise and HCP Boundary only): This release introduces Policies, a
  Boundary resource that represents a Governance Policy to enforce. The first
  implementation targets Storage Policies, which enables administrators to automate
  the process of retention and deletion of Session Recordings, ensuring that they're only
  retaining data that is explicitly required from a security/compliance perspective.
  • ui: Add full UI support for Storage Policies managing the lifecycle of Session Recordings.
    (PR)
• New generic commands read, update, and delete have been added. These
  allow operating on resources by directly specifying the ID of the resource as
  the next parameter (e.g. boundary update ttcp_1234567890). Subtypes do not
  need to be specified (e.g. that command is equivalent to boundary targets update tcp -id ttcp_1234567890), and any flags given after the ID are passed
  through to the type-specific subcommand. Once the ID has been entered,
  autocomplete is also supported.
  (PR)
• The key_id parameter within SSH Certificate Credential Libraries now accepts
  the use of templated parameters
  (PR)
• List endpoint pagination: All list endpoints except workers now support pagination.
  • api: All list endpoints except workers have added support for pagination.
    The api package automatically paginates until the end of the results. The new
    `WithListToken`` option can be used to request a list of updated and deleted resources
    relative to the last result received.
  • config: add new controller field max_page_size for controlling the default and max size
    of pages when paginating through results.
• New command search has been added allowing quick searching of targets or
  sessions. It utilizes a client side cache also added in this release. The
  client side cache starts itself automatically in the background when successfully
  executing any command that communicates with a Boundary controller. To disable
  the client cache from starting automatically set the
  BOUNDARY_SKIP_CACHE_DAEMON environment variable or pass the
  -skip-cache-daemon flag when running a command that may start it.
  Commands daemon start, daemon stop, daemon status, and daemon add-token
  were added to help manage the cache. The cache does not currently work with
  Boundary instances that require the use of client side certs.

v0.14.3

0.14.3 (2023/12/05)

New and Improved

• Added the ability to enforce rate limits on the Controller API. This version
  enables rate limits by default. For details on the default rate limits,
  how to configure rate limits, and how to disable rate limiting see the
  noted PR. (PR)
• Add support for OIDC prompts. Using prompts, the Relying Party (RP) can
  customize the authentication and authorization flow to suit their specific
  needs and improve the user experience. [OIDC Authentication request]
  (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest) server.
  (PR)

Bug Fixes

• Update go-kms-wrapping/extras/kms dependency to allow external wrappers
  without a key id to be used within a KMS config stanza. Note: this fix allows
  GCP KMS keys to be again with Boundary, which had stopped working in v0.13.0.
  (PR)

• Two Vault client settings were not being properly used when constructing a
  Vault client. (PR)

  The TLS Skip Verify setting was only being set if a CA Cert was also
  configured. This fix sets the TLS Skip Verify when configured regardless of
  other settings.

  The TLS Server Name setting was never being set. Bad programmers. This fix
  now sets it on the Vault client if the Vault Credential Store has been
  configured to use a value for this setting.

v0.14.2

0.14.2 (2023/10/27)

New and Improved

• Expose Valid Principals for Vault SSH Signed Certs: Allow users to add additional valid principals when creating a vault ssh signed cert credential library (PR).

Bug Fixes

• High CPU consumption: A background GRPC connection state check caused high CPU utilization. This was caused by a long running loop that was checking for GRPC connection state changes between a worker and an upstream connection address. The loop was not correctly waiting for GRPC connection state changes before running. The issue was fixed by correctly updating the state that determines when the loop in GRPC connection state check should run. (PR)
• LDAP auth methods: Fix encoding of mTLS client key which prevented Boundary
  from making mTLS connections to an LDAP server (Issue,
  PR).

v0.14.1

0.14.1 (2023/10/17)

Bug Fixes

• deps: Bump Go version to v1.21.3; gRPC to v1.58.3; golang.org/x/net to
  v0.17.0. This is to address a security vulnerability in the HTTP stack where a
  malicious HTTP/2 client which rapidly creates requests and immediately resets
  them can cause excessive server resource consumption.

v0.14.0

0.14.0 (2023/10/10)

Deprecations/Changes

• Per the note in Boundary 0.12.0, the vault credential library subtype has
  now been removed in favor of vault-generic. For example, instead of
  boundary credential-libraries create vault, you must use boundary credential-libraries create vault-generic.
• Per the note in Boundary 0.12.0, errors returned from the cli when using the
  -format=json option will now only use the status_code field. The status
  field has been removed.
• Per the note in Boundary 0.12.0, targets require a default port value. Ports
  defined as part of a host address were ignored but allowed as part of a target
  definition; from 0.14.0 onwards, any port defined on a host address will now
  become an error.
• Targets: Per the note in Boundary 0.10.10, target Application Credentials has
  been renamed to Brokered Credentials. application-credential-source has been
  removed as a field. brokered-credential-source should be used instead.
  (PR, deprecated
  changelog).

New and Improved

• cli: Add support for specifying a command that will be executed on the remote host when
  using the boundary connect ssh subcommand.
  (Issue,
  PR).
• feat: add API support for additional LDAP auth method fields:
  maximum_page_size and dereference_aliases
  (PR).
• feat: add worker upstream connection status to ops health check
  (PR).
• feat: allow HCP cluster id to be sourced from file or env variable
  (PR).
• feat: add support for telemetry events via flag or Boundary configuration
  (requires observation events to be enabled). Deny filter now filters
  coordination worker status from observation events by default. (This behavior
  is overridden by any user specified allow or deny filters)
  (PR).
• ui: Add full UI support for LDAP auth method
  (PR)
• ui: Add new attribute fields to storage bucket to support the assume role service in AWS.
  (PR)

Bug Fixes

• LDAP auth methods: allow bind-dn and bind-password to be updated
  independently. (PR)
• targets: Fix address field not being populated if the number of targets on a
  list returns more than 10000 entries
  (PR)
• cli: Fix issue when using the authenticate command against a password auth
  method on Windows where the password would be swallowed when the login name is
  submitted (PR)
• worker: Fix an issue that could cause intermittent startup issues on slow
  systems (PR)
• cli: Remove websocket max message size. This fixes issues where large message
  sizes are sent to the client from a worker which resulted in the connection
  being terminated, as is the case with an scp download when using an SSH
  Target. (PR)

v0.13.1

0.13.1 (2023/07/10)

New and Improved

• roles: In grants, the id field has been changed to ids (but id will
  still be accepted for now, up until 0.15.0). In the ids field, multiple IDs
  can now be specified in a grant, either via commas (text format) or array
  (JSON format). (PR).
• dev environment: When running boundary dev the initial LDAP auth-method with an
  ID of amldap_1234567890 is now in a public-active state, so it will be returned
  in the response from boundary auth-methods list

Deprecations/Changes

• Grants can now accept more than one ID per grant string (or entry in JSON) via
  the ids parameter. In 0.15.0 the ability to add new grants via the id
  parameter will be removed.

Bug Fixes

• PKI worker authentication: A worker authentication record can be stored more than once, if it matches the
  existing record for that worker auth key ID. Fixes an edge case where a worker attempted authorization
  and the controller successfully stored the worker auth record but went down before returning authorization
  details to the worker. (PR)
• LDAP managed groups: adding/setting/removing a principal to a role now works
  properly when it's an LDAP managed group.
  (PR and
  PR)

v0.13.0

0.13.0 (2023/06/13)

New and Improved

• SSH Session Recordings (Enterprise and HCP Boundary only): SSH targets can now
  be configured to record sessions. Recordings are signed and stored in a
  Storage Bucket. Recordings can be played back in the admin UI.
  • Storage Buckets: This release introduces Storage Buckets, a Boundary
    resource that represents a bucket in an external object store. Storage
    Buckets can be defined at the global or org scope. When associated with an
    SSH target, the storage bucket is used to store session recordings. This
    release includes support for AWS S3 only.
  • BSR (Boundary Session Recording) file format: BSR is a new specification
    that defines a hierarchical directory structure of files and a binary file
    format. The contents of a BSR include all data transmitted between a user
    and a target during a single session, relevant session metadata and summary
    information. The BSR also includes checksum and signature files for
    cryptographically verifying BSR contents, and a set of KMS wrapped keys for
    use in BSR verification. The BSR format is intended to be extensible to
    support various protocols. With this release BSR supports the SSH protocol.
    It also supports converting an SSH channel recording into an
    asciicast
    format that is playable by asciinema.
  • To learn more about this new feature, refer to the
    documentation.
• KMS workers: KMS workers now have feature parity with PKI workers (they
  support multi-hop and Vault private access) and support separate KMSes for
  authenticating downstreams across different networks. See the worker
  configuration documentation
  for more information. (PR)
• roles: Perform additional validity checking on grants at submission time (PR)
• targets: The new default_client_port field allows specifying the default
  port to use on the client side when connecting to a target, unless overridden
  by the client via -listen-port (PR)
• cli/api/sdk: New LDAP auth method type added with support for create, read,
  update, delete, and list (see new cli ldap subcommands available on CRUDL
  operations for examples), as well as the ability to authenticate against it
  via the SDK, CLI, admin UI, and desktop client. (PR)
• ui: Display external names when listing dynamic hosts (PR)
• ui: Add support for LDAP authentication (PR)
• Dynamic Host Catalog: You can now view the AWS or Azure host name when listing hosts in CLI, admin console, and desktop client. (PR)
• Add configuration for license reporting (Enterprise only)

Deprecations/Changes

• With the introduction of the new KMS variant for worker registration (as
  described below), using the deprecated behavior requires opting-in. This is
  only recommended if compatibility with pre-0.13 workers using the KMS auth
  method is required. Requiring opting in removes some potentially confusing
  behavior for deciding when to use the old versus new mechanism. To opt in, add
  use_deprecated_kms_auth_method = true to the worker config block. Note
  that if a 0.13+ worker using KMS connects to a 0.13+ controller using KMS, the
  transition to the new method will happen automatically. To go back to the old
  method after that will require the worker to be deleted and re-added with the
  use_deprecated_kms_auth_method config field specified.

• When grants are added to roles additional validity checking is now performed.
  This extra validity checking is designed to reject grants that are not
  documented grant formats
  or are for combinations of IDs and types that cannot actually be used
  together. These previously would have been accepted without error but would
  never result in permissions being granted, causing confusion. As a result,
  attempting to write such grants into roles may now result in an error; the
  error message gives hints for resolution.

• WithAutomaticVersioning for auth tokens in Go SDK: this option was
  incorrectly being generated for auth token resources, which do not support
  versioning. This is technically a breaking change, but it was a no-op option
  anyways that there was no reason to be using. It has now been removed.

• Plugins: With the introduction of the storage plugin service, the Azure and AWS Host plugin
  repositories have been renamed to drop the host element of the repository name:

  • https://github.com/hashicorp/boundary-plugin-host-aws -> https://github.com/hashicorp/boundary-plugin-aws
  • https://github.com/hashicorp/boundary-plugin-host-azure -> https://github.com/hashicorp/boundary-plugin-azure

  Similarly the plugins/host package has been renamed to plugins/boundary
  (PR1,PR2, PR3, PR4).

• PostgreSQL 12 or greater is now required. PostgreSQL 11 is no longer
  supported.

Bug Fixes

• targets: authorize-session now works properly when using a target's name as
  the identifier and the target name contains one or more slashes (PR)
• resource listing: API requests to list a resource (targets, sessions, users,
  etc) now properly return all resources the callers has appropriate permission
  to list (PR)
• sessions: Fix a bug that contributed to slow response times when listing
  sessions that had a large number of connections (PR)
• ui: Fix client secret bug for OIDC authentication methods(PR)
• ui: Fix linking to a Host from the Host Set screen of a Dynamic Host Catalog (PR)

v0.12.2

0.12.2 (2023/04/04)

Security

• Boundary now uses Go 1.19.8 to address CVE-2023-24536. See the
  Go announcement for
  more details.